Date:      Tue, 01 May 2001 10:29:15 -0700
From:      Lars Eggert <larse@ISI.EDU>
To:        Gunther Schadow <gunther@aurora.regenstrief.org>
Cc:        snap-users@kame.net, freebsd-net@freebsd.org, ipfilter@coombs.anu.edu.au, altq@csl.sony.co.jp
Subject:   Re: The future of ALTQ, IPsec & IPFILTER playing together ...
Message-ID:  <3AEEF26B.C6850070@isi.edu>
References:  <3AEEEE79.8F7CC7B0@aurora.regenstrief.org>

Gunther Schadow wrote:
> However, I understand that ALTQ works in the data link layer at
> the interface to the NIC. IPsec, however, works above that layer,
> even before the IPFILTER rules (on outgoing packets). So, we have
> the following "pipe"
> 
>    IPSEC -----> IPFILTER -------> ALTQ

You should really look into using IPIP tunnels together with IPsec
transport mode. In that case, your packets loop through IP outbound
processing twice, allowing you to hook into "IP hacks" (ALTQ, ipfw,
ipfilter, etc.) at both the virtual network layer and the physical
network layer. If (and I'm not sure this is supported, but it's easy
to add) gif devices are ALTQified, you could apply ALTQ at the virtual
network level, before IPsec processing kicks in at the physical
network.

(For our X-Bone overlays, we do Dummynet processing for the virtual
network to simulate delays and losses in the VPN, and apply IPsec after
tunneling.)

Lars
-- 
Lars Eggert <larse@isi.edu>               Information Sciences Institute
http://www.isi.edu/larse/              University of Southern California
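The following is an added illustration of the layout Lars describes; it is not part of his message nor of the KAME or FreeBSD projects' own documentation. A gif interface carries the inner traffic, IPsec transport mode protects the IP-in-IP packets between the two tunnel endpoints, and because the packet passes through IP output twice, ipfilter gets a hook on gif0 (cleartext, before IPsec) and on the physical interface (after IPsec, where only ESP should be visible). The inner networks 10.1.0.0/16 and 10.2.0.0/16, the outer addresses 192.0.2.1 and 198.51.100.1, and the interface name fxp0 are all constructed for the example; the SAs themselves (setkey `add` lines or racoon) are omitted.

```conf
# /etc/rc.conf on the 192.0.2.1 endpoint (constructed example)
gif_interfaces="gif0"
gifconfig_gif0="192.0.2.1 198.51.100.1"                            # outer (physical) endpoints
ifconfig_gif0="inet 10.1.0.1 10.2.0.1 netmask 255.255.255.255"    # inner (virtual) endpoints
static_routes="vpn"
route_vpn="-net 10.2.0.0/16 10.2.0.1"
ipsec_enable="YES"
ipsec_file="/etc/ipsec.conf"
ipfilter_enable="YES"
ipfilter_rules="/etc/ipf.rules"

# /etc/ipsec.conf (setkey(8) policy): protect only the IP-in-IP packets gif0 emits
# towards the peer. ESP in transport mode is enough because gif already provides
# the encapsulation; "ipencap" is protocol 4 from /etc/protocols.
spdadd 192.0.2.1 198.51.100.1 ipencap -P out ipsec esp/transport//require;
spdadd 198.51.100.1 192.0.2.1 ipencap -P in  ipsec esp/transport//require;

# /etc/ipf.rules
# Pass 1 (virtual network): cleartext inner packets on gif0, before IPsec.
pass out quick on gif0 proto tcp from 10.1.0.0/16 to 10.2.0.0/16 flags S keep state
pass out quick on gif0 proto udp from 10.1.0.0/16 to 10.2.0.0/16 keep state
pass in  quick on gif0 proto tcp from 10.2.0.0/16 to 10.1.0.0/16 flags S keep state
block in log quick on gif0 all          # anything else that arrives decrypted from the peer
# Pass 2 (physical network): on the wire only ESP should travel between the endpoints.
pass out quick on fxp0 proto esp from 192.0.2.1 to 198.51.100.1
pass in  quick on fxp0 proto esp from 198.51.100.1 to 192.0.2.1
block out log quick on fxp0 proto 4 from 192.0.2.1 to 198.51.100.1   # cleartext IP-in-IP leaking means the SPD did not match
```

The gif0 rules are where per-flow policy (or, in Lars's scenario, ALTQ queueing on a gif device that supports it) belongs, since that is the only pass that still sees addresses and ports; the final fxp0 rule is a safety net that logs any IP-in-IP packet that reached the wire without being turned into ESP.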